dridex | ca8c670d287814ca4a56b220c360a7c3caa0ef396a9b29f391f21c9b29d49862

General

Target

ca8c670d287814ca4a56b220c360a7c3caa0ef396a9b29f391f21c9b29d49862.dll
Size

2.0MB
MD5

c310c7db42c40895be867d7bc96f7047
SHA1

f17440cf1fd4ddce619ac0a0ce78ec05efc3b658
SHA256

ca8c670d287814ca4a56b220c360a7c3caa0ef396a9b29f391f21c9b29d49862
SHA512

268f4d01d481d5f941ecb64ef5103c0a21c3ea977abd834360dd04437d8b2d2d5287ebd2cc1f2f662d138dfeda74ea930a99a29fcb04b18f0af9351d7c201901
SSDEEP

12288:YVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:NfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3364-4-0x0000000002DB0000-0x0000000002DB1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

LicensingUI.exeSndVol.exemsdt.exe

pid process

4604 LicensingUI.exe
1588 SndVol.exe
1792 msdt.exe
Loads dropped DLL 3 IoCs

Processes:

LicensingUI.exeSndVol.exemsdt.exe

pid process

4604 LicensingUI.exe
1588 SndVol.exe
1792 msdt.exe

pid	process
4604	LicensingUI.exe
1588	SndVol.exe
1792	msdt.exe

pid	process
4604	LicensingUI.exe
1588	SndVol.exe
1792	msdt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zyaxxifxvt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\L8ZUQ7~1\\SndVol.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeLicensingUI.exeSndVol.exemsdt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LicensingUI.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3472	rundll32.exe
3472	rundll32.exe
3472	rundll32.exe
3472	rundll32.exe
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3364 wrote to memory of 2120	3364	LicensingUI.exe
PID 3364 wrote to memory of 2120	3364	LicensingUI.exe
PID 3364 wrote to memory of 4604	3364	LicensingUI.exe
PID 3364 wrote to memory of 4604	3364	LicensingUI.exe
PID 3364 wrote to memory of 3008	3364	SndVol.exe
PID 3364 wrote to memory of 3008	3364	SndVol.exe
PID 3364 wrote to memory of 1588	3364	SndVol.exe
PID 3364 wrote to memory of 1588	3364	SndVol.exe
PID 3364 wrote to memory of 1524	3364	msdt.exe
PID 3364 wrote to memory of 1524	3364	msdt.exe
PID 3364 wrote to memory of 1792	3364	msdt.exe
PID 3364 wrote to memory of 1792	3364	msdt.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca8c670d287814ca4a56b220c360a7c3caa0ef396a9b29f391f21c9b29d49862.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3472

C:\Windows\system32\LicensingUI.exe
C:\Windows\system32\LicensingUI.exe
1⤵
PID:2120

C:\Users\Admin\AppData\Local\cTEifEO\LicensingUI.exe
C:\Users\Admin\AppData\Local\cTEifEO\LicensingUI.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4604

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:3008

C:\Users\Admin\AppData\Local\eTj6nX\SndVol.exe
C:\Users\Admin\AppData\Local\eTj6nX\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1588

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:1524

C:\Users\Admin\AppData\Local\B9vNYOy\msdt.exe
C:\Users\Admin\AppData\Local\B9vNYOy\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\B9vNYOy\DUI70.dll
Filesize
2.3MB

MD5
5faa922d99fd6787a2d781c7d82d6c77

SHA1
17701e538e66f984a40b00445d75d4f7fe192524

SHA256
d1173c7ea459a6af6bc7c68467bff4c39d0399a643d59252b12c4d667993ef58

SHA512
76de5b5ff10a6514ab24bfe351f50df3645dd3bfadc61a27982b2e5c6f20be6927f5e2afad17de3d00b42dbaaba4a9995316857dbddd01d824872a1bdf8aaefc

Download Submit
C:\Users\Admin\AppData\Local\B9vNYOy\msdt.exe
Filesize
421KB

MD5
992c3f0cc8180f2f51156671e027ae75

SHA1
942ec8c2ccfcacd75a1cd86cbe8873aee5115e29

SHA256
6859d1b5d1beaa2985b298f3fcee67f0aac747687a9dec2b4376585e99e9756f

SHA512
1f1b8d39e29274cfc87a9ef1510adb9c530086a421c121523376731c8933c6e234e9146310d3767ce888a8dce7a5713221f4d25e5b7b6398d06ae2be2b99eadf

Download Submit
C:\Users\Admin\AppData\Local\cTEifEO\DUI70.dll
Filesize
2.3MB

MD5
f153daf04c7ce473909d2ab1c14f51e7

SHA1
6084d1974d3086e4de9c70cc86362733a8862f4f

SHA256
16e6f9e428801055225d5b72011dec0e36f2567f3ebc430100bf92cb584244cb

SHA512
273c5664f9ba62fc9aa7f19e4067a2689f2debdb6ba54c871eafd63465c995e57e1343fcd0e567411d6b10a45788ff9f459a2ba863828b99cbaca94614ff69af

Download Submit
C:\Users\Admin\AppData\Local\cTEifEO\LicensingUI.exe
Filesize
142KB

MD5
8b4abc637473c79a003d30bb9c7a05e5

SHA1
d1cab953c16d4fdec2b53262f56ac14a914558ca

SHA256
0e9eb89aa0df9bb84a8f11b0bb3e9d89905355de34c91508968b4cb78bc3f6c5

SHA512
5a40c846c5b3a53ae09114709239d8238c322a7d3758b20ed3fc8e097fc1409f62b4990557c1192e894eabfa89741a9d88bd5175850d039b97dfdf380d1c6eeb

Download Submit
C:\Users\Admin\AppData\Local\eTj6nX\SndVol.exe
Filesize
269KB

MD5
c5d939ac3f9d885c8355884199e36433

SHA1
b8f277549c23953e8683746e225e7af1c193ad70

SHA256
68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605

SHA512
8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

Download Submit
C:\Users\Admin\AppData\Local\eTj6nX\UxTheme.dll
Filesize
2.0MB

MD5
0c84d971bc85ffd296a00e15ae7dac87

SHA1
047208f10ad52e68bda95aa112b066e6284d4dcb

SHA256
d079dbe4eabbb972e0efc1d2c8490a3a61c9d70fd713b975a0ecfc0aff63b43b

SHA512
de76228a1ac86cfbf1a5eed5a2c48d0e8babb4b8ccc98e65f2b091c1ec2ae727d547ba4a56e2cd9ab11b0aee1f6887aa722424d6f871314cd524cde07d345132

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kscubvdexgimjec.lnk
Filesize
1KB

MD5
a72fe8783c562eb3772f03074af6ba67

SHA1
53874ed135a4ca479d10dffd410a1e38cec7d1bc

SHA256
df9a64bcd1b16393cfb7760171c916d9000c0703de0deb764e9acb0d6d4abb14

SHA512
b2a7c041459c1149918e8fb9bfe1f6d5d11a7044678601b07b97b5a520ec471906f86f0f4aa9e9cf4354840921cf91d555af6ec81fc8c22faaa3d3ae37a63a34

Download Submit
memory/1588-98-0x0000024734130000-0x0000024734137000-memory.dmp

Filesize
28KB

Download
memory/3364-28-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-23-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-73-0x0000000000D70000-0x0000000000D77000-memory.dmp

Filesize
28KB

Download
memory/3364-68-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-52-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-49-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-48-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-47-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-46-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-45-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-44-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-43-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-42-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-41-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-40-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-39-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-38-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-37-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-36-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-34-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-32-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-31-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-30-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-29-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-6-0x00007FFA3611A000-0x00007FFA3611B000-memory.dmp

Filesize
4KB

Download
memory/3364-27-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-26-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-25-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-24-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-4-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/3364-22-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-20-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-19-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-16-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-18-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-70-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-17-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-15-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-13-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-59-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-12-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-11-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-10-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-51-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-35-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-33-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-21-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-8-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-14-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-74-0x00007FFA37880000-0x00007FFA37890000-memory.dmp

Filesize
64KB

Download
memory/3364-50-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3364-9-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3472-7-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/3472-3-0x000002B7D7DE0000-0x000002B7D7DE7000-memory.dmp

Filesize
28KB

Download
memory/3472-0-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/4604-87-0x00000204A07C0000-0x00000204A07C7000-memory.dmp

Filesize
28KB

Download
memory/4604-81-0x0000000140000000-0x000000014024E000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads